Firewalls
Readings
Pfleeger: 7.4
Firewall
Diagram: Private Network, Firewall, External Network
CSCE 522 - Farkas
Firewall Objectives
Keep intruders, malicious code and unwanted traffic or information out
Keep proprietary and sensitive information in
Diagram labels: Private Network, Proprietary data, External attacks, External Network
Accessibility
Security
Firewall Advantages
NFS services
SNMP
TFTP
NetBIOS
Controlled Access
Concentrated Security
Enhanced Privacy
E.g., finger:
Policy enforcement
Firewall Disadvantages
Back Doors
Data-Driven Attacks
Viruses:
Executable Content:
Other Issues
Firewall Components
Firewall Administrator
Firewall policy
Packet filters
Transparent: does not change traffic, only passes it
Proxies
Active: intercepts traffic and acts as an intermediary
Firewall Administrator
Firewall Policy
policy
Unique to a firewall configuration
Difficult!
Diagram: Private Network, Packet Filter (packet-level rules), Outside
Advantages:
Disadvantages:
Direct communication between multiple hosts and internal network
Unsophisticated (protects against simple attacks)
Calibrating rule set may be tricky
Limited auditing
Proxy Firewalls
Diagram (panels: View, Reality): Private Network, Bastion Host, Proxy Server, Outside
Proxy Firewalls
Application Gateways
Circuit-Level Gateway
Application Gateways
Diagram: Client, Application Gateway, Server
Application Gateways
Application Gateways
Disadvantages:
Circuit-Level Gateways
Circuit-Level Gateways
Advantages:
Circuit-Level Gateways
Disadvantages:
Home Users
Home routers:
Come with built-in firewall
Generally simple packet filters
Can block all incoming connections on all ports if desired
Open connections as needed
Examples:
Download files from outside using FTP: allow incoming connections on Port 21
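Added example (not part of the original slides): a stateless packet filter that blocks all incoming connections except port 21, plus a check for the rule-ordering mistake behind "Calibrating rule set may be tricky". First-match-wins evaluation, the names Rule, decide and shadowed, and the rule sets and packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return (self.direction == pkt["dir"]
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"]))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (self.direction == other.direction
                and self.proto in (None, other.proto)
                and self.dport in (None, other.dport))

def decide(rules, pkt, default="deny"):
    """Stateless evaluation: first matching rule wins, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

def shadowed(rules):
    """Indexes of rules that can never fire because one earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]

# Constructed rule set: open port 21 inbound, block every other inbound connection.
HOME_ROUTER = [
    Rule("allow", "out"),
    Rule("allow", "in", "tcp", 21),
    Rule("deny", "in"),
]
# Same rules with the catch-all deny moved up: the port 21 rule is now dead.
MISORDERED = [HOME_ROUTER[0], HOME_ROUTER[2], HOME_ROUTER[1]]

# Constructed sample packets: direction, protocol, destination port.
FTP = {"dir": "in", "proto": "tcp", "dport": 21}
NETBIOS = {"dir": "in", "proto": "tcp", "dport": 139}
TFTP = {"dir": "in", "proto": "udp", "dport": 69}

if __name__ == "__main__":
    for name, rules in (("home router", HOME_ROUTER), ("misordered", MISORDERED)):
        print(name, [decide(rules, p) for p in (FTP, NETBIOS, TFTP)],
              "shadowed:", shadowed(rules))
```

The filter decides on header fields only and keeps no connection state, which is why the slides call packet filters transparent and unsophisticated.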
Windows Firewall
Functionality:
Help block computer viruses and worms from reaching your computer
Ask for your permission to block or unblock certain connection requests
Allow you to create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer
Windows Firewall
What it does not support:
ZoneAlarm Pro 5
PC-Cillin 2004 Internet Security
Norton Personal Firewall 2005
McAfee Personal Firewall 6.0 2005
Firewall Evaluation